shogun-core 5.2.0 → 5.2.1

package/dist/browser/defaultVendors-node_modules_noble_ciphers_chacha_js.shogun-core.js

@@ -0,0 +1,999 @@
+"use strict";
+(this["webpackChunkShogunCore"] = this["webpackChunkShogunCore"] || []).push([["defaultVendors-node_modules_noble_ciphers_chacha_js"],{
+
+/***/ "./node_modules/@noble/ciphers/chacha.js":
+/*!***********************************************************!*\
+  !*** ./node_modules/@noble/ciphers/chacha.js + 2 modules ***!
+  \***********************************************************/
+/***/ ((__unused_webpack___webpack_module__, __webpack_exports__, __webpack_require__) => {
+
+// ESM COMPAT FLAG
+__webpack_require__.r(__webpack_exports__);
+
+// EXPORTS
+__webpack_require__.d(__webpack_exports__, {
+  _poly1305_aead: () => (/* binding */ _poly1305_aead),
+  chacha12: () => (/* binding */ chacha12),
+  chacha20: () => (/* binding */ chacha20),
+  chacha20orig: () => (/* binding */ chacha20orig),
+  chacha20poly1305: () => (/* binding */ chacha20poly1305),
+  chacha8: () => (/* binding */ chacha8),
+  hchacha: () => (/* binding */ hchacha),
+  rngChacha20: () => (/* binding */ rngChacha20),
+  rngChacha8: () => (/* binding */ rngChacha8),
+  xchacha20: () => (/* binding */ xchacha20),
+  xchacha20poly1305: () => (/* binding */ xchacha20poly1305)
+});
+
+// EXTERNAL MODULE: ./node_modules/@noble/ciphers/utils.js
+var utils = __webpack_require__("./node_modules/@noble/ciphers/utils.js");
+;// ./node_modules/@noble/ciphers/_arx.js
+/**
+ * Basic utils for ARX (add-rotate-xor) salsa and chacha ciphers.
+
+RFC8439 requires multi-step cipher stream, where
+authKey starts with counter: 0, actual msg with counter: 1.
+
+For this, we need a way to re-use nonce / counter:
+
+    const counter = new Uint8Array(4);
+    chacha(..., counter, ...); // counter is now 1
+    chacha(..., counter, ...); // counter is now 2
+
+This is complicated:
+
+- 32-bit counters are enough, no need for 64-bit: max ArrayBuffer size in JS is 4GB
+- Original papers don't allow mutating counters
+- Counter overflow is undefined [^1]
+- Idea A: allow providing (nonce | counter) instead of just nonce, re-use it
+- Caveat: Cannot be re-used through all cases:
+- * chacha has (counter | nonce)
+- * xchacha has (nonce16 | counter | nonce16)
+- Idea B: separate nonce / counter and provide separate API for counter re-use
+- Caveat: there are different counter sizes depending on an algorithm.
+- salsa & chacha also differ in structures of key & sigma:
+  salsa20:      s[0] | k(4) | s[1] | nonce(2) | cnt(2) | s[2] | k(4) | s[3]
+  chacha:       s(4) | k(8) | cnt(1) | nonce(3)
+  chacha20orig: s(4) | k(8) | cnt(2) | nonce(2)
+- Idea C: helper method such as `setSalsaState(key, nonce, sigma, data)`
+- Caveat: we can't re-use counter array
+
+xchacha [^2] uses the subkey and remaining 8 byte nonce with ChaCha20 as normal
+(prefixed by 4 NUL bytes, since [RFC8439] specifies a 12-byte nonce).
+
+[^1]: https://mailarchive.ietf.org/arch/msg/cfrg/gsOnTJzcbgG6OqD8Sc0GO5aR_tU/
+[^2]: https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha#appendix-A.2
+
+ * @module
+ */
+
+// Replaces `TextEncoder`, which is not available in all environments
+const encodeStr = (str) => Uint8Array.from(str.split(''), (c) => c.charCodeAt(0));
+const sigma16 = encodeStr('expand 16-byte k');
+const sigma32 = encodeStr('expand 32-byte k');
+const sigma16_32 = (0,utils.u32)(sigma16);
+const sigma32_32 = (0,utils.u32)(sigma32);
+/** Rotate left. */
+function rotl(a, b) {
+    return (a << b) | (a >>> (32 - b));
+}
+// Is byte array aligned to 4 byte offset (u32)?
+function isAligned32(b) {
+    return b.byteOffset % 4 === 0;
+}
+// Salsa and Chacha block length is always 512-bit
+const BLOCK_LEN = 64;
+const BLOCK_LEN32 = 16;
+// new Uint32Array([2**32])   // => Uint32Array(1) [ 0 ]
+// new Uint32Array([2**32-1]) // => Uint32Array(1) [ 4294967295 ]
+const MAX_COUNTER = 2 ** 32 - 1;
+const U32_EMPTY = Uint32Array.of();
+function runCipher(core, sigma, key, nonce, data, output, counter, rounds) {
+    const len = data.length;
+    const block = new Uint8Array(BLOCK_LEN);
+    const b32 = (0,utils.u32)(block);
+    // Make sure that buffers aligned to 4 bytes
+    const isAligned = isAligned32(data) && isAligned32(output);
+    const d32 = isAligned ? (0,utils.u32)(data) : U32_EMPTY;
+    const o32 = isAligned ? (0,utils.u32)(output) : U32_EMPTY;
+    for (let pos = 0; pos < len; counter++) {
+        core(sigma, key, nonce, b32, counter, rounds);
+        if (counter >= MAX_COUNTER)
+            throw new Error('arx: counter overflow');
+        const take = Math.min(BLOCK_LEN, len - pos);
+        // aligned to 4 bytes
+        if (isAligned && take === BLOCK_LEN) {
+            const pos32 = pos / 4;
+            if (pos % 4 !== 0)
+                throw new Error('arx: invalid block position');
+            for (let j = 0, posj; j < BLOCK_LEN32; j++) {
+                posj = pos32 + j;
+                o32[posj] = d32[posj] ^ b32[j];
+            }
+            pos += BLOCK_LEN;
+            continue;
+        }
+        for (let j = 0, posj; j < take; j++) {
+            posj = pos + j;
+            output[posj] = data[posj] ^ block[j];
+        }
+        pos += take;
+    }
+}
+/** Creates ARX-like (ChaCha, Salsa) cipher stream from core function. */
+function createCipher(core, opts) {
+    const { allowShortKeys, extendNonceFn, counterLength, counterRight, rounds } = (0,utils.checkOpts)({ allowShortKeys: false, counterLength: 8, counterRight: false, rounds: 20 }, opts);
+    if (typeof core !== 'function')
+        throw new Error('core must be a function');
+    (0,utils.anumber)(counterLength);
+    (0,utils.anumber)(rounds);
+    (0,utils.abool)(counterRight);
+    (0,utils.abool)(allowShortKeys);
+    return (key, nonce, data, output, counter = 0) => {
+        (0,utils.abytes)(key, undefined, 'key');
+        (0,utils.abytes)(nonce, undefined, 'nonce');
+        (0,utils.abytes)(data, undefined, 'data');
+        const len = data.length;
+        if (output === undefined)
+            output = new Uint8Array(len);
+        (0,utils.abytes)(output, undefined, 'output');
+        (0,utils.anumber)(counter);
+        if (counter < 0 || counter >= MAX_COUNTER)
+            throw new Error('arx: counter overflow');
+        if (output.length < len)
+            throw new Error(`arx: output (${output.length}) is shorter than data (${len})`);
+        const toClean = [];
+        // Key & sigma
+        // key=16 -> sigma16, k=key|key
+        // key=32 -> sigma32, k=key
+        let l = key.length;
+        let k;
+        let sigma;
+        if (l === 32) {
+            toClean.push((k = (0,utils.copyBytes)(key)));
+            sigma = sigma32_32;
+        }
+        else if (l === 16 && allowShortKeys) {
+            k = new Uint8Array(32);
+            k.set(key);
+            k.set(key, 16);
+            sigma = sigma16_32;
+            toClean.push(k);
+        }
+        else {
+            (0,utils.abytes)(key, 32, 'arx key');
+            throw new Error('invalid key size');
+            // throw new Error(`"arx key" expected Uint8Array of length 32, got length=${l}`);
+        }
+        // Nonce
+        // salsa20:      8   (8-byte counter)
+        // chacha20orig: 8   (8-byte counter)
+        // chacha20:     12  (4-byte counter)
+        // xsalsa20:     24  (16 -> hsalsa,  8 -> old nonce)
+        // xchacha20:    24  (16 -> hchacha, 8 -> old nonce)
+        // Align nonce to 4 bytes
+        if (!isAligned32(nonce))
+            toClean.push((nonce = (0,utils.copyBytes)(nonce)));
+        const k32 = (0,utils.u32)(k);
+        // hsalsa & hchacha: handle extended nonce
+        if (extendNonceFn) {
+            if (nonce.length !== 24)
+                throw new Error(`arx: extended nonce must be 24 bytes`);
+            extendNonceFn(sigma, k32, (0,utils.u32)(nonce.subarray(0, 16)), k32);
+            nonce = nonce.subarray(16);
+        }
+        // Handle nonce counter
+        const nonceNcLen = 16 - counterLength;
+        if (nonceNcLen !== nonce.length)
+            throw new Error(`arx: nonce must be ${nonceNcLen} or 16 bytes`);
+        // Pad counter when nonce is 64 bit
+        if (nonceNcLen !== 12) {
+            const nc = new Uint8Array(12);
+            nc.set(nonce, counterRight ? 0 : 12 - nonce.length);
+            nonce = nc;
+            toClean.push(nonce);
+        }
+        const n32 = (0,utils.u32)(nonce);
+        runCipher(core, sigma, k32, n32, data, output, counter, rounds);
+        (0,utils.clean)(...toClean);
+        return output;
+    };
+}
+/** Internal class which wraps chacha20 or chacha8 to create CSPRNG. */
+class _XorStreamPRG {
+    blockLen;
+    keyLen;
+    nonceLen;
+    state;
+    buf;
+    key;
+    nonce;
+    pos;
+    ctr;
+    cipher;
+    constructor(cipher, blockLen, keyLen, nonceLen, seed) {
+        this.cipher = cipher;
+        this.blockLen = blockLen;
+        this.keyLen = keyLen;
+        this.nonceLen = nonceLen;
+        this.state = new Uint8Array(this.keyLen + this.nonceLen);
+        this.reseed(seed);
+        this.ctr = 0;
+        this.pos = this.blockLen;
+        this.buf = new Uint8Array(this.blockLen);
+        this.key = this.state.subarray(0, this.keyLen);
+        this.nonce = this.state.subarray(this.keyLen);
+    }
+    reseed(seed) {
+        (0,utils.abytes)(seed);
+        if (!seed || seed.length === 0)
+            throw new Error('entropy required');
+        for (let i = 0; i < seed.length; i++)
+            this.state[i % this.state.length] ^= seed[i];
+        this.ctr = 0;
+        this.pos = this.blockLen;
+    }
+    addEntropy(seed) {
+        this.state.set(this.randomBytes(this.state.length));
+        this.reseed(seed);
+    }
+    randomBytes(len) {
+        (0,utils.anumber)(len);
+        if (len === 0)
+            return new Uint8Array(0);
+        const out = new Uint8Array(len);
+        let outPos = 0;
+        // Leftovers
+        if (this.pos < this.blockLen) {
+            const take = Math.min(len, this.blockLen - this.pos);
+            out.set(this.buf.subarray(this.pos, this.pos + take), 0);
+            this.pos += take;
+            outPos += take;
+            if (outPos === len)
+                return out; // fast path
+        }
+        // Full blocks directly to out
+        const blocks = Math.floor((len - outPos) / this.blockLen);
+        if (blocks > 0) {
+            const blockBytes = blocks * this.blockLen;
+            const b = out.subarray(outPos, outPos + blockBytes);
+            this.cipher(this.key, this.nonce, b, b, this.ctr);
+            this.ctr += blocks;
+            outPos += blockBytes;
+        }
+        // Save leftovers
+        const left = len - outPos;
+        if (left > 0) {
+            this.buf.fill(0);
+            // NOTE: cipher will handle overflow
+            this.cipher(this.key, this.nonce, this.buf, this.buf, this.ctr++);
+            out.set(this.buf.subarray(0, left), outPos);
+            this.pos = left;
+        }
+        return out;
+    }
+    clone() {
+        return new _XorStreamPRG(this.cipher, this.blockLen, this.keyLen, this.nonceLen, this.randomBytes(this.state.length));
+    }
+    clean() {
+        this.pos = 0;
+        this.ctr = 0;
+        this.buf.fill(0);
+        this.state.fill(0);
+    }
+}
+const createPRG = (cipher, blockLen, keyLen, nonceLen) => {
+    return (seed = (0,utils.randomBytes)(32)) => new _XorStreamPRG(cipher, blockLen, keyLen, nonceLen, seed);
+};
+//# sourceMappingURL=_arx.js.map
+;// ./node_modules/@noble/ciphers/_poly1305.js
+/**
+ * Poly1305 ([PDF](https://cr.yp.to/mac/poly1305-20050329.pdf),
+ * [wiki](https://en.wikipedia.org/wiki/Poly1305))
+ * is a fast and parallel secret-key message-authentication code suitable for
+ * a wide variety of applications. It was standardized in
+ * [RFC 8439](https://www.rfc-editor.org/rfc/rfc8439) and is now used in TLS 1.3.
+ *
+ * Polynomial MACs are not perfect for every situation:
+ * they lack Random Key Robustness: the MAC can be forged, and can't be used in PAKE schemes.
+ * See [invisible salamanders attack](https://keymaterial.net/2020/09/07/invisible-salamanders-in-aes-gcm-siv/).
+ * To combat invisible salamanders, `hash(key)` can be included in ciphertext,
+ * however, this would violate ciphertext indistinguishability:
+ * an attacker would know which key was used - so `HKDF(key, i)`
+ * could be used instead.
+ *
+ * Check out [original website](https://cr.yp.to/mac.html).
+ * Based on Public Domain [poly1305-donna](https://github.com/floodyberry/poly1305-donna).
+ * @module
+ */
+// prettier-ignore
+
+function u8to16(a, i) {
+    return (a[i++] & 0xff) | ((a[i++] & 0xff) << 8);
+}
+function bytesToNumberLE(bytes) {
+    return (0,utils.hexToNumber)((0,utils.bytesToHex)(Uint8Array.from(bytes).reverse()));
+}
+/** Small version of `poly1305` without loop unrolling. Unused, provided for auditability. */
+function poly1305_small(msg, key) {
+    (0,utils.abytes)(msg);
+    (0,utils.abytes)(key, 32, 'key');
+    const POW_2_130_5 = BigInt(2) ** BigInt(130) - BigInt(5); // 2^130-5
+    const POW_2_128_1 = BigInt(2) ** BigInt(128) - BigInt(1); // 2^128-1
+    const CLAMP_R = BigInt('0x0ffffffc0ffffffc0ffffffc0fffffff');
+    const r = bytesToNumberLE(key.subarray(0, 16)) & CLAMP_R;
+    const s = bytesToNumberLE(key.subarray(16));
+    // Process by 16 byte chunks
+    let acc = BigInt(0);
+    for (let i = 0; i < msg.length; i += 16) {
+        const m = msg.subarray(i, i + 16);
+        const n = bytesToNumberLE(m) | (BigInt(1) << BigInt(8 * m.length));
+        acc = ((acc + n) * r) % POW_2_130_5;
+    }
+    const res = (acc + s) & POW_2_128_1;
+    return (0,utils.numberToBytesBE)(res, 16).reverse(); // LE
+}
+// Can be used to replace `computeTag` in chacha.ts. Unused, provided for auditability.
+// @ts-expect-error
+function poly1305_computeTag_small(authKey, lengths, ciphertext, AAD) {
+    const res = [];
+    const updatePadded2 = (msg) => {
+        res.push(msg);
+        const leftover = msg.length % 16;
+        if (leftover)
+            res.push(new Uint8Array(16).slice(leftover));
+    };
+    if (AAD)
+        updatePadded2(AAD);
+    updatePadded2(ciphertext);
+    res.push(lengths);
+    return poly1305_small((0,utils.concatBytes)(...res), authKey);
+}
+/** Poly1305 class. Prefer poly1305() function instead. */
+class Poly1305 {
+    blockLen = 16;
+    outputLen = 16;
+    buffer = new Uint8Array(16);
+    r = new Uint16Array(10); // Allocating 1 array with .subarray() here is slower than 3
+    h = new Uint16Array(10);
+    pad = new Uint16Array(8);
+    pos = 0;
+    finished = false;
+    // Can be speed-up using BigUint64Array, at the cost of complexity
+    constructor(key) {
+        key = (0,utils.copyBytes)((0,utils.abytes)(key, 32, 'key'));
+        const t0 = u8to16(key, 0);
+        const t1 = u8to16(key, 2);
+        const t2 = u8to16(key, 4);
+        const t3 = u8to16(key, 6);
+        const t4 = u8to16(key, 8);
+        const t5 = u8to16(key, 10);
+        const t6 = u8to16(key, 12);
+        const t7 = u8to16(key, 14);
+        // https://github.com/floodyberry/poly1305-donna/blob/e6ad6e091d30d7f4ec2d4f978be1fcfcbce72781/poly1305-donna-16.h#L47
+        this.r[0] = t0 & 0x1fff;
+        this.r[1] = ((t0 >>> 13) | (t1 << 3)) & 0x1fff;
+        this.r[2] = ((t1 >>> 10) | (t2 << 6)) & 0x1f03;
+        this.r[3] = ((t2 >>> 7) | (t3 << 9)) & 0x1fff;
+        this.r[4] = ((t3 >>> 4) | (t4 << 12)) & 0x00ff;
+        this.r[5] = (t4 >>> 1) & 0x1ffe;
+        this.r[6] = ((t4 >>> 14) | (t5 << 2)) & 0x1fff;
+        this.r[7] = ((t5 >>> 11) | (t6 << 5)) & 0x1f81;
+        this.r[8] = ((t6 >>> 8) | (t7 << 8)) & 0x1fff;
+        this.r[9] = (t7 >>> 5) & 0x007f;
+        for (let i = 0; i < 8; i++)
+            this.pad[i] = u8to16(key, 16 + 2 * i);
+    }
+    process(data, offset, isLast = false) {
+        const hibit = isLast ? 0 : 1 << 11;
+        const { h, r } = this;
+        const r0 = r[0];
+        const r1 = r[1];
+        const r2 = r[2];
+        const r3 = r[3];
+        const r4 = r[4];
+        const r5 = r[5];
+        const r6 = r[6];
+        const r7 = r[7];
+        const r8 = r[8];
+        const r9 = r[9];
+        const t0 = u8to16(data, offset + 0);
+        const t1 = u8to16(data, offset + 2);
+        const t2 = u8to16(data, offset + 4);
+        const t3 = u8to16(data, offset + 6);
+        const t4 = u8to16(data, offset + 8);
+        const t5 = u8to16(data, offset + 10);
+        const t6 = u8to16(data, offset + 12);
+        const t7 = u8to16(data, offset + 14);
+        let h0 = h[0] + (t0 & 0x1fff);
+        let h1 = h[1] + (((t0 >>> 13) | (t1 << 3)) & 0x1fff);
+        let h2 = h[2] + (((t1 >>> 10) | (t2 << 6)) & 0x1fff);
+        let h3 = h[3] + (((t2 >>> 7) | (t3 << 9)) & 0x1fff);
+        let h4 = h[4] + (((t3 >>> 4) | (t4 << 12)) & 0x1fff);
+        let h5 = h[5] + ((t4 >>> 1) & 0x1fff);
+        let h6 = h[6] + (((t4 >>> 14) | (t5 << 2)) & 0x1fff);
+        let h7 = h[7] + (((t5 >>> 11) | (t6 << 5)) & 0x1fff);
+        let h8 = h[8] + (((t6 >>> 8) | (t7 << 8)) & 0x1fff);
+        let h9 = h[9] + ((t7 >>> 5) | hibit);
+        let c = 0;
+        let d0 = c + h0 * r0 + h1 * (5 * r9) + h2 * (5 * r8) + h3 * (5 * r7) + h4 * (5 * r6);
+        c = d0 >>> 13;
+        d0 &= 0x1fff;
+        d0 += h5 * (5 * r5) + h6 * (5 * r4) + h7 * (5 * r3) + h8 * (5 * r2) + h9 * (5 * r1);
+        c += d0 >>> 13;
+        d0 &= 0x1fff;
+        let d1 = c + h0 * r1 + h1 * r0 + h2 * (5 * r9) + h3 * (5 * r8) + h4 * (5 * r7);
+        c = d1 >>> 13;
+        d1 &= 0x1fff;
+        d1 += h5 * (5 * r6) + h6 * (5 * r5) + h7 * (5 * r4) + h8 * (5 * r3) + h9 * (5 * r2);
+        c += d1 >>> 13;
+        d1 &= 0x1fff;
+        let d2 = c + h0 * r2 + h1 * r1 + h2 * r0 + h3 * (5 * r9) + h4 * (5 * r8);
+        c = d2 >>> 13;
+        d2 &= 0x1fff;
+        d2 += h5 * (5 * r7) + h6 * (5 * r6) + h7 * (5 * r5) + h8 * (5 * r4) + h9 * (5 * r3);
+        c += d2 >>> 13;
+        d2 &= 0x1fff;
+        let d3 = c + h0 * r3 + h1 * r2 + h2 * r1 + h3 * r0 + h4 * (5 * r9);
+        c = d3 >>> 13;
+        d3 &= 0x1fff;
+        d3 += h5 * (5 * r8) + h6 * (5 * r7) + h7 * (5 * r6) + h8 * (5 * r5) + h9 * (5 * r4);
+        c += d3 >>> 13;
+        d3 &= 0x1fff;
+        let d4 = c + h0 * r4 + h1 * r3 + h2 * r2 + h3 * r1 + h4 * r0;
+        c = d4 >>> 13;
+        d4 &= 0x1fff;
+        d4 += h5 * (5 * r9) + h6 * (5 * r8) + h7 * (5 * r7) + h8 * (5 * r6) + h9 * (5 * r5);
+        c += d4 >>> 13;
+        d4 &= 0x1fff;
+        let d5 = c + h0 * r5 + h1 * r4 + h2 * r3 + h3 * r2 + h4 * r1;
+        c = d5 >>> 13;
+        d5 &= 0x1fff;
+        d5 += h5 * r0 + h6 * (5 * r9) + h7 * (5 * r8) + h8 * (5 * r7) + h9 * (5 * r6);
+        c += d5 >>> 13;
+        d5 &= 0x1fff;
+        let d6 = c + h0 * r6 + h1 * r5 + h2 * r4 + h3 * r3 + h4 * r2;
+        c = d6 >>> 13;
+        d6 &= 0x1fff;
+        d6 += h5 * r1 + h6 * r0 + h7 * (5 * r9) + h8 * (5 * r8) + h9 * (5 * r7);
+        c += d6 >>> 13;
+        d6 &= 0x1fff;
+        let d7 = c + h0 * r7 + h1 * r6 + h2 * r5 + h3 * r4 + h4 * r3;
+        c = d7 >>> 13;
+        d7 &= 0x1fff;
+        d7 += h5 * r2 + h6 * r1 + h7 * r0 + h8 * (5 * r9) + h9 * (5 * r8);
+        c += d7 >>> 13;
+        d7 &= 0x1fff;
+        let d8 = c + h0 * r8 + h1 * r7 + h2 * r6 + h3 * r5 + h4 * r4;
+        c = d8 >>> 13;
+        d8 &= 0x1fff;
+        d8 += h5 * r3 + h6 * r2 + h7 * r1 + h8 * r0 + h9 * (5 * r9);
+        c += d8 >>> 13;
+        d8 &= 0x1fff;
+        let d9 = c + h0 * r9 + h1 * r8 + h2 * r7 + h3 * r6 + h4 * r5;
+        c = d9 >>> 13;
+        d9 &= 0x1fff;
+        d9 += h5 * r4 + h6 * r3 + h7 * r2 + h8 * r1 + h9 * r0;
+        c += d9 >>> 13;
+        d9 &= 0x1fff;
+        c = ((c << 2) + c) | 0;
+        c = (c + d0) | 0;
+        d0 = c & 0x1fff;
+        c = c >>> 13;
+        d1 += c;
+        h[0] = d0;
+        h[1] = d1;
+        h[2] = d2;
+        h[3] = d3;
+        h[4] = d4;
+        h[5] = d5;
+        h[6] = d6;
+        h[7] = d7;
+        h[8] = d8;
+        h[9] = d9;
+    }
+    finalize() {
+        const { h, pad } = this;
+        const g = new Uint16Array(10);
+        let c = h[1] >>> 13;
+        h[1] &= 0x1fff;
+        for (let i = 2; i < 10; i++) {
+            h[i] += c;
+            c = h[i] >>> 13;
+            h[i] &= 0x1fff;
+        }
+        h[0] += c * 5;
+        c = h[0] >>> 13;
+        h[0] &= 0x1fff;
+        h[1] += c;
+        c = h[1] >>> 13;
+        h[1] &= 0x1fff;
+        h[2] += c;
+        g[0] = h[0] + 5;
+        c = g[0] >>> 13;
+        g[0] &= 0x1fff;
+        for (let i = 1; i < 10; i++) {
+            g[i] = h[i] + c;
+            c = g[i] >>> 13;
+            g[i] &= 0x1fff;
+        }
+        g[9] -= 1 << 13;
+        let mask = (c ^ 1) - 1;
+        for (let i = 0; i < 10; i++)
+            g[i] &= mask;
+        mask = ~mask;
+        for (let i = 0; i < 10; i++)
+            h[i] = (h[i] & mask) | g[i];
+        h[0] = (h[0] | (h[1] << 13)) & 0xffff;
+        h[1] = ((h[1] >>> 3) | (h[2] << 10)) & 0xffff;
+        h[2] = ((h[2] >>> 6) | (h[3] << 7)) & 0xffff;
+        h[3] = ((h[3] >>> 9) | (h[4] << 4)) & 0xffff;
+        h[4] = ((h[4] >>> 12) | (h[5] << 1) | (h[6] << 14)) & 0xffff;
+        h[5] = ((h[6] >>> 2) | (h[7] << 11)) & 0xffff;
+        h[6] = ((h[7] >>> 5) | (h[8] << 8)) & 0xffff;
+        h[7] = ((h[8] >>> 8) | (h[9] << 5)) & 0xffff;
+        let f = h[0] + pad[0];
+        h[0] = f & 0xffff;
+        for (let i = 1; i < 8; i++) {
+            f = (((h[i] + pad[i]) | 0) + (f >>> 16)) | 0;
+            h[i] = f & 0xffff;
+        }
+        (0,utils.clean)(g);
+    }
+    update(data) {
+        (0,utils.aexists)(this);
+        (0,utils.abytes)(data);
+        data = (0,utils.copyBytes)(data);
+        const { buffer, blockLen } = this;
+        const len = data.length;
+        for (let pos = 0; pos < len;) {
+            const take = Math.min(blockLen - this.pos, len - pos);
+            // Fast path: we have at least one block in input
+            if (take === blockLen) {
+                for (; blockLen <= len - pos; pos += blockLen)
+                    this.process(data, pos);
+                continue;
+            }
+            buffer.set(data.subarray(pos, pos + take), this.pos);
+            this.pos += take;
+            pos += take;
+            if (this.pos === blockLen) {
+                this.process(buffer, 0, false);
+                this.pos = 0;
+            }
+        }
+        return this;
+    }
+    destroy() {
+        (0,utils.clean)(this.h, this.r, this.buffer, this.pad);
+    }
+    digestInto(out) {
+        (0,utils.aexists)(this);
+        (0,utils.aoutput)(out, this);
+        this.finished = true;
+        const { buffer, h } = this;
+        let { pos } = this;
+        if (pos) {
+            buffer[pos++] = 1;
+            for (; pos < 16; pos++)
+                buffer[pos] = 0;
+            this.process(buffer, 0, true);
+        }
+        this.finalize();
+        let opos = 0;
+        for (let i = 0; i < 8; i++) {
+            out[opos++] = h[i] >>> 0;
+            out[opos++] = h[i] >>> 8;
+        }
+        return out;
+    }
+    digest() {
+        const { buffer, outputLen } = this;
+        this.digestInto(buffer);
+        const res = buffer.slice(0, outputLen);
+        this.destroy();
+        return res;
+    }
+}
+function wrapConstructorWithKey(hashCons) {
+    const hashC = (msg, key) => hashCons(key).update(msg).digest();
+    const tmp = hashCons(new Uint8Array(32)); // tmp array, used just once below
+    hashC.outputLen = tmp.outputLen;
+    hashC.blockLen = tmp.blockLen;
+    hashC.create = (key) => hashCons(key);
+    return hashC;
+}
+/** Poly1305 MAC from RFC 8439. */
+const poly1305 = /** @__PURE__ */ (() => wrapConstructorWithKey((key) => new Poly1305(key)))();
+//# sourceMappingURL=_poly1305.js.map
+;// ./node_modules/@noble/ciphers/chacha.js
+/**
+ * ChaCha stream cipher, released
+ * in 2008. Developed after Salsa20, ChaCha aims to increase diffusion per round.
+ * It was standardized in [RFC 8439](https://www.rfc-editor.org/rfc/rfc8439) and
+ * is now used in TLS 1.3.
+ *
+ * [XChaCha20](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha)
+ * extended-nonce variant is also provided. Similar to XSalsa, it's safe to use with
+ * randomly-generated nonces.
+ *
+ * Check out [PDF](http://cr.yp.to/chacha/chacha-20080128.pdf) and
+ * [wiki](https://en.wikipedia.org/wiki/Salsa20) and
+ * [website](https://cr.yp.to/chacha.html).
+ *
+ * @module
+ */
+
+
+
+/**
+ * ChaCha core function. It is implemented twice:
+ * 1. Simple loop (chachaCore_small, hchacha_small)
+ * 2. Unrolled loop (chachaCore, hchacha) - 4x faster, but larger & harder to read
+ * The specific implementation is selected in `createCipher` below.
+ */
+/** quarter-round */
+// prettier-ignore
+function chachaQR(x, a, b, c, d) {
+    x[a] = (x[a] + x[b]) | 0;
+    x[d] = rotl(x[d] ^ x[a], 16);
+    x[c] = (x[c] + x[d]) | 0;
+    x[b] = rotl(x[b] ^ x[c], 12);
+    x[a] = (x[a] + x[b]) | 0;
+    x[d] = rotl(x[d] ^ x[a], 8);
+    x[c] = (x[c] + x[d]) | 0;
+    x[b] = rotl(x[b] ^ x[c], 7);
+}
+/** single round */
+function chachaRound(x, rounds = 20) {
+    for (let r = 0; r < rounds; r += 2) {
+        chachaQR(x, 0, 4, 8, 12);
+        chachaQR(x, 1, 5, 9, 13);
+        chachaQR(x, 2, 6, 10, 14);
+        chachaQR(x, 3, 7, 11, 15);
+        chachaQR(x, 0, 5, 10, 15);
+        chachaQR(x, 1, 6, 11, 12);
+        chachaQR(x, 2, 7, 8, 13);
+        chachaQR(x, 3, 4, 9, 14);
+    }
+}
+const ctmp = /* @__PURE__ */ new Uint32Array(16);
+/** Small version of chacha without loop unrolling. Unused, provided for auditability. */
+// prettier-ignore
+function chacha(s, k, i, out, isHChacha = true, rounds = 20) {
+    // Create initial array using common pattern
+    const y = Uint32Array.from([
+        s[0], s[1], s[2], s[3], // "expa"   "nd 3"  "2-by"  "te k"
+        k[0], k[1], k[2], k[3], // Key      Key     Key     Key
+        k[4], k[5], k[6], k[7], // Key      Key     Key     Key
+        i[0], i[1], i[2], i[3], // Counter  Counter Nonce   Nonce
+    ]);
+    const x = ctmp;
+    x.set(y);
+    chachaRound(x, rounds);
+    // hchacha extracts 8 specific bytes, chacha adds orig to result
+    if (isHChacha) {
+        const xindexes = [0, 1, 2, 3, 12, 13, 14, 15];
+        for (let i = 0; i < 8; i++)
+            out[i] = x[xindexes[i]];
+    }
+    else {
+        for (let i = 0; i < 16; i++)
+            out[i] = (y[i] + x[i]) | 0;
+    }
+}
+/** Identical to `chachaCore`. Unused. */
+// @ts-ignore
+const chachaCore_small = (s, k, n, out, cnt, rounds) => chacha(s, k, Uint32Array.from([n[0], n[1], cnt, 0]), out, false, rounds);
+/** Identical to `hchacha`. Unused. */
+// @ts-ignore
+const hchacha_small = chacha;
+/** Identical to `chachaCore_small`. Unused. */
+// prettier-ignore
+function chachaCore(s, k, n, out, cnt, rounds = 20) {
+    let y00 = s[0], y01 = s[1], y02 = s[2], y03 = s[3], // "expa"   "nd 3"  "2-by"  "te k"
+    y04 = k[0], y05 = k[1], y06 = k[2], y07 = k[3], // Key      Key     Key     Key
+    y08 = k[4], y09 = k[5], y10 = k[6], y11 = k[7], // Key      Key     Key     Key
+    y12 = cnt, y13 = n[0], y14 = n[1], y15 = n[2]; // Counter  Counter	Nonce   Nonce
+    // Save state to temporary variables
+    let x00 = y00, x01 = y01, x02 = y02, x03 = y03, x04 = y04, x05 = y05, x06 = y06, x07 = y07, x08 = y08, x09 = y09, x10 = y10, x11 = y11, x12 = y12, x13 = y13, x14 = y14, x15 = y15;
+    for (let r = 0; r < rounds; r += 2) {
+        x00 = (x00 + x04) | 0;
+        x12 = rotl(x12 ^ x00, 16);
+        x08 = (x08 + x12) | 0;
+        x04 = rotl(x04 ^ x08, 12);
+        x00 = (x00 + x04) | 0;
+        x12 = rotl(x12 ^ x00, 8);
+        x08 = (x08 + x12) | 0;
+        x04 = rotl(x04 ^ x08, 7);
+        x01 = (x01 + x05) | 0;
+        x13 = rotl(x13 ^ x01, 16);
+        x09 = (x09 + x13) | 0;
+        x05 = rotl(x05 ^ x09, 12);
+        x01 = (x01 + x05) | 0;
+        x13 = rotl(x13 ^ x01, 8);
+        x09 = (x09 + x13) | 0;
+        x05 = rotl(x05 ^ x09, 7);
+        x02 = (x02 + x06) | 0;
+        x14 = rotl(x14 ^ x02, 16);
+        x10 = (x10 + x14) | 0;
+        x06 = rotl(x06 ^ x10, 12);
+        x02 = (x02 + x06) | 0;
+        x14 = rotl(x14 ^ x02, 8);
+        x10 = (x10 + x14) | 0;
+        x06 = rotl(x06 ^ x10, 7);
+        x03 = (x03 + x07) | 0;
+        x15 = rotl(x15 ^ x03, 16);
+        x11 = (x11 + x15) | 0;
+        x07 = rotl(x07 ^ x11, 12);
+        x03 = (x03 + x07) | 0;
+        x15 = rotl(x15 ^ x03, 8);
+        x11 = (x11 + x15) | 0;
+        x07 = rotl(x07 ^ x11, 7);
+        x00 = (x00 + x05) | 0;
+        x15 = rotl(x15 ^ x00, 16);
+        x10 = (x10 + x15) | 0;
+        x05 = rotl(x05 ^ x10, 12);
+        x00 = (x00 + x05) | 0;
+        x15 = rotl(x15 ^ x00, 8);
+        x10 = (x10 + x15) | 0;
+        x05 = rotl(x05 ^ x10, 7);
+        x01 = (x01 + x06) | 0;
+        x12 = rotl(x12 ^ x01, 16);
+        x11 = (x11 + x12) | 0;
+        x06 = rotl(x06 ^ x11, 12);
+        x01 = (x01 + x06) | 0;
+        x12 = rotl(x12 ^ x01, 8);
+        x11 = (x11 + x12) | 0;
+        x06 = rotl(x06 ^ x11, 7);
+        x02 = (x02 + x07) | 0;
+        x13 = rotl(x13 ^ x02, 16);
+        x08 = (x08 + x13) | 0;
+        x07 = rotl(x07 ^ x08, 12);
+        x02 = (x02 + x07) | 0;
+        x13 = rotl(x13 ^ x02, 8);
+        x08 = (x08 + x13) | 0;
+        x07 = rotl(x07 ^ x08, 7);
+        x03 = (x03 + x04) | 0;
+        x14 = rotl(x14 ^ x03, 16);
+        x09 = (x09 + x14) | 0;
+        x04 = rotl(x04 ^ x09, 12);
+        x03 = (x03 + x04) | 0;
+        x14 = rotl(x14 ^ x03, 8);
+        x09 = (x09 + x14) | 0;
+        x04 = rotl(x04 ^ x09, 7);
+    }
+    // Write output
+    let oi = 0;
+    out[oi++] = (y00 + x00) | 0;
+    out[oi++] = (y01 + x01) | 0;
+    out[oi++] = (y02 + x02) | 0;
+    out[oi++] = (y03 + x03) | 0;
+    out[oi++] = (y04 + x04) | 0;
+    out[oi++] = (y05 + x05) | 0;
+    out[oi++] = (y06 + x06) | 0;
+    out[oi++] = (y07 + x07) | 0;
+    out[oi++] = (y08 + x08) | 0;
+    out[oi++] = (y09 + x09) | 0;
+    out[oi++] = (y10 + x10) | 0;
+    out[oi++] = (y11 + x11) | 0;
+    out[oi++] = (y12 + x12) | 0;
+    out[oi++] = (y13 + x13) | 0;
+    out[oi++] = (y14 + x14) | 0;
+    out[oi++] = (y15 + x15) | 0;
+}
+/**
+ * hchacha hashes key and nonce into key' and nonce' for xchacha20.
+ * Identical to `hchacha_small`.
+ * Need to find a way to merge it with `chachaCore` without 25% performance hit.
+ */
+// prettier-ignore
+function hchacha(s, k, i, out) {
+    let x00 = s[0], x01 = s[1], x02 = s[2], x03 = s[3], x04 = k[0], x05 = k[1], x06 = k[2], x07 = k[3], x08 = k[4], x09 = k[5], x10 = k[6], x11 = k[7], x12 = i[0], x13 = i[1], x14 = i[2], x15 = i[3];
+    for (let r = 0; r < 20; r += 2) {
+        x00 = (x00 + x04) | 0;
+        x12 = rotl(x12 ^ x00, 16);
+        x08 = (x08 + x12) | 0;
+        x04 = rotl(x04 ^ x08, 12);
+        x00 = (x00 + x04) | 0;
+        x12 = rotl(x12 ^ x00, 8);
+        x08 = (x08 + x12) | 0;
+        x04 = rotl(x04 ^ x08, 7);
+        x01 = (x01 + x05) | 0;
+        x13 = rotl(x13 ^ x01, 16);
+        x09 = (x09 + x13) | 0;
+        x05 = rotl(x05 ^ x09, 12);
+        x01 = (x01 + x05) | 0;
+        x13 = rotl(x13 ^ x01, 8);
+        x09 = (x09 + x13) | 0;
+        x05 = rotl(x05 ^ x09, 7);
+        x02 = (x02 + x06) | 0;
+        x14 = rotl(x14 ^ x02, 16);
+        x10 = (x10 + x14) | 0;
+        x06 = rotl(x06 ^ x10, 12);
+        x02 = (x02 + x06) | 0;
+        x14 = rotl(x14 ^ x02, 8);
+        x10 = (x10 + x14) | 0;
+        x06 = rotl(x06 ^ x10, 7);
+        x03 = (x03 + x07) | 0;
+        x15 = rotl(x15 ^ x03, 16);
+        x11 = (x11 + x15) | 0;
+        x07 = rotl(x07 ^ x11, 12);
+        x03 = (x03 + x07) | 0;
+        x15 = rotl(x15 ^ x03, 8);
+        x11 = (x11 + x15) | 0;
+        x07 = rotl(x07 ^ x11, 7);
+        x00 = (x00 + x05) | 0;
+        x15 = rotl(x15 ^ x00, 16);
+        x10 = (x10 + x15) | 0;
+        x05 = rotl(x05 ^ x10, 12);
+        x00 = (x00 + x05) | 0;
+        x15 = rotl(x15 ^ x00, 8);
+        x10 = (x10 + x15) | 0;
+        x05 = rotl(x05 ^ x10, 7);
+        x01 = (x01 + x06) | 0;
+        x12 = rotl(x12 ^ x01, 16);
+        x11 = (x11 + x12) | 0;
+        x06 = rotl(x06 ^ x11, 12);
+        x01 = (x01 + x06) | 0;
+        x12 = rotl(x12 ^ x01, 8);
+        x11 = (x11 + x12) | 0;
+        x06 = rotl(x06 ^ x11, 7);
+        x02 = (x02 + x07) | 0;
+        x13 = rotl(x13 ^ x02, 16);
+        x08 = (x08 + x13) | 0;
+        x07 = rotl(x07 ^ x08, 12);
+        x02 = (x02 + x07) | 0;
+        x13 = rotl(x13 ^ x02, 8);
+        x08 = (x08 + x13) | 0;
+        x07 = rotl(x07 ^ x08, 7);
+        x03 = (x03 + x04) | 0;
+        x14 = rotl(x14 ^ x03, 16);
+        x09 = (x09 + x14) | 0;
+        x04 = rotl(x04 ^ x09, 12);
+        x03 = (x03 + x04) | 0;
+        x14 = rotl(x14 ^ x03, 8);
+        x09 = (x09 + x14) | 0;
+        x04 = rotl(x04 ^ x09, 7);
+    }
+    let oi = 0;
+    out[oi++] = x00;
+    out[oi++] = x01;
+    out[oi++] = x02;
+    out[oi++] = x03;
+    out[oi++] = x12;
+    out[oi++] = x13;
+    out[oi++] = x14;
+    out[oi++] = x15;
+}
+/** Original, non-RFC chacha20 from DJB. 8-byte nonce, 8-byte counter. */
+const chacha20orig = /* @__PURE__ */ createCipher(chachaCore, {
+    counterRight: false,
+    counterLength: 8,
+    allowShortKeys: true,
+});
+/**
+ * ChaCha stream cipher. Conforms to RFC 8439 (IETF, TLS). 12-byte nonce, 4-byte counter.
+ * With smaller nonce, it's not safe to make it random (CSPRNG), due to collision chance.
+ */
+const chacha20 = /* @__PURE__ */ createCipher(chachaCore, {
+    counterRight: false,
+    counterLength: 4,
+    allowShortKeys: false,
+});
+/**
+ * XChaCha eXtended-nonce ChaCha. With 24-byte nonce, it's safe to make it random (CSPRNG).
+ * See [IRTF draft](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha).
+ */
+const xchacha20 = /* @__PURE__ */ createCipher(chachaCore, {
+    counterRight: false,
+    counterLength: 8,
+    extendNonceFn: hchacha,
+    allowShortKeys: false,
+});
+/** Reduced 8-round chacha, described in original paper. */
+const chacha8 = /* @__PURE__ */ createCipher(chachaCore, {
+    counterRight: false,
+    counterLength: 4,
+    rounds: 8,
+});
+/** Reduced 12-round chacha, described in original paper. */
+const chacha12 = /* @__PURE__ */ createCipher(chachaCore, {
+    counterRight: false,
+    counterLength: 4,
+    rounds: 12,
+});
+const ZEROS16 = /* @__PURE__ */ new Uint8Array(16);
+// Pad to digest size with zeros
+const updatePadded = (h, msg) => {
+    h.update(msg);
+    const leftover = msg.length % 16;
+    if (leftover)
+        h.update(ZEROS16.subarray(leftover));
+};
+const ZEROS32 = /* @__PURE__ */ new Uint8Array(32);
+function computeTag(fn, key, nonce, ciphertext, AAD) {
+    if (AAD !== undefined)
+        (0,utils.abytes)(AAD, undefined, 'AAD');
+    const authKey = fn(key, nonce, ZEROS32);
+    const lengths = (0,utils.u64Lengths)(ciphertext.length, AAD ? AAD.length : 0, true);
+    // Methods below can be replaced with
+    // return poly1305_computeTag_small(authKey, lengths, ciphertext, AAD)
+    const h = poly1305.create(authKey);
+    if (AAD)
+        updatePadded(h, AAD);
+    updatePadded(h, ciphertext);
+    h.update(lengths);
+    const res = h.digest();
+    (0,utils.clean)(authKey, lengths);
+    return res;
+}
+/**
+ * AEAD algorithm from RFC 8439.
+ * Salsa20 and chacha (RFC 8439) use poly1305 differently.
+ * We could have composed them, but it's hard because of authKey:
+ * In salsa20, authKey changes position in salsa stream.
+ * In chacha, authKey can't be computed inside computeTag, it modifies the counter.
+ */
+const _poly1305_aead = (xorStream) => (key, nonce, AAD) => {
+    const tagLength = 16;
+    return {
+        encrypt(plaintext, output) {
+            const plength = plaintext.length;
+            output = (0,utils.getOutput)(plength + tagLength, output, false);
+            output.set(plaintext);
+            const oPlain = output.subarray(0, -tagLength);
+            // Actual encryption
+            xorStream(key, nonce, oPlain, oPlain, 1);
+            const tag = computeTag(xorStream, key, nonce, oPlain, AAD);
+            output.set(tag, plength); // append tag
+            (0,utils.clean)(tag);
+            return output;
+        },
+        decrypt(ciphertext, output) {
+            output = (0,utils.getOutput)(ciphertext.length - tagLength, output, false);
+            const data = ciphertext.subarray(0, -tagLength);
+            const passedTag = ciphertext.subarray(-tagLength);
+            const tag = computeTag(xorStream, key, nonce, data, AAD);
+            if (!(0,utils.equalBytes)(passedTag, tag))
+                throw new Error('invalid tag');
+            output.set(ciphertext.subarray(0, -tagLength));
+            // Actual decryption
+            xorStream(key, nonce, output, output, 1); // start stream with i=1
+            (0,utils.clean)(tag);
+            return output;
+        },
+    };
+};
+/**
+ * ChaCha20-Poly1305 from RFC 8439.
+ *
+ * Unsafe to use random nonces under the same key, due to collision chance.
+ * Prefer XChaCha instead.
+ */
+const chacha20poly1305 = /* @__PURE__ */ (0,utils.wrapCipher)({ blockSize: 64, nonceLength: 12, tagLength: 16 }, _poly1305_aead(chacha20));
+/**
+ * XChaCha20-Poly1305 extended-nonce chacha.
+ *
+ * Can be safely used with random nonces (CSPRNG).
+ * See [IRTF draft](https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-xchacha).
+ */
+const xchacha20poly1305 = /* @__PURE__ */ (0,utils.wrapCipher)({ blockSize: 64, nonceLength: 24, tagLength: 16 }, _poly1305_aead(xchacha20));
+/**
+ * Chacha20 CSPRNG (cryptographically secure pseudorandom number generator).
+ * It's best to limit usage to non-production, non-critical cases: for example, test-only.
+ * Compatible with libtomcrypt. It does not have a specification, so unclear how secure it is.
+ */
+const rngChacha20 = /* @__PURE__ */ createPRG(chacha20orig, 64, 32, 8);
+/**
+ * Chacha20/8 CSPRNG (cryptographically secure pseudorandom number generator).
+ * It's best to limit usage to non-production, non-critical cases: for example, test-only.
+ * Faster than `rngChacha20`.
+ */
+const rngChacha8 = /* @__PURE__ */ createPRG(chacha8, 64, 32, 12);
+//# sourceMappingURL=chacha.js.map
+
+/***/ })
+
+}]);
+//# sourceMappingURL=defaultVendors-node_modules_noble_ciphers_chacha_js.shogun-core.js.map